Zeek image (Dockerfile):

- Container base is `debian:buster`
- Uses `python 3`
- Installs the `zkg` package manager

Broker image (Dockerfile_broker):

- Container base is `debian:buster`
- Uses `python 3`
- Has Python bindings
Zeek can be scripted. By default it loads the script at `$ZEEK_HOME/share/zeek/site/local.zeek`. See also the zeek-ctl#zeek-scripts documentation.

You can mount a directory to `/opt/zeek/share/zeek/site` to provide custom scripts for Zeek to use. Note that a bind mount replaces the whole site directory inside the container, so the mounted directory must contain everything you want loaded, including a `local.zeek`.
```
$ docker build . -t fixel/zeek:latest
$ docker build . -f Dockerfile_broker --build-arg BROKER_VERSION=v1.4.0 -t fixel/zeek:broker-latest
```
You can find a container image on docker hub: fixel/zeek
The container expects arguments; everything you pass is forwarded to the `zeek` command. To listen on the interface `enp0s31f6` you would run:

```
$ docker run --net=host --name=zeek --rm -ti fixel/zeek -i enp0s31f6
```

`--net=host` is needed so the container can see the host's network interfaces; it also means the container shares the host's network namespace instead of running in an isolated one.
The logs are written to `/var/log/zeek`, which is declared as a docker volume. You can extract them by the usual means of container management, for example by bind-mounting a host directory onto `/var/log/zeek`. Note that with `--rm` the anonymous volume is deleted together with the container when it exits, so mount a host directory or a named volume if the logs should outlive the container.
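The two steps above, providing custom scripts via a mounted site directory and running the container with the log volume bound to the host, put together as an added example. This is not code from the fixel/zeek image or the Zeek project. The interface name `enp0s31f6` is the README's example; the host paths `./zeek-site` and `./zeek-logs`, the `SiteWatch` module and its watched ports are assumptions chosen here for illustration.

```shell
#!/bin/sh
# Added example; not part of the fixel/zeek image or of Zeek itself.
# Prepares a site directory with a custom local.zeek and builds the
# "docker run" command that mounts it over /opt/zeek/share/zeek/site and
# binds the log volume to a host directory.
# Assumed values: interface enp0s31f6 (the README's example); host paths
# ./zeek-site and ./zeek-logs are chosen here, not by the image.

set -eu

# write_site DIR: create DIR/local.zeek with a small custom policy.
# The bind mount hides whatever the image ships in the site directory, so
# the script loads what it needs itself instead of relying on the image.
write_site() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/local.zeek" <<'EOF'
@load base/frameworks/notice
@load base/protocols/conn

module SiteWatch;

export {
    redef enum Notice::Type += { Unexpected_Service };
    # Ports this network should never see a connection to; adjust per site.
    const watched_ports: set[port] = { 23/tcp, 3389/tcp } &redef;
}

# Raise a notice, suppressed per (source, port) pair, when a connection
# to a watched port completes its handshake.
event connection_established(c: connection)
{
    if ( c$id$resp_p in watched_ports )
        NOTICE([$note=Unexpected_Service,
                $conn=c,
                $msg=fmt("connection to %s from %s", c$id$resp_p, c$id$orig_h),
                $identifier=cat(c$id$orig_h, c$id$resp_p)]);
}
EOF
    printf '%s\n' "$dir/local.zeek"
}

# zeek_run_cmd IFACE SITE_DIR LOG_DIR: print the docker command line.
# --net=host: the container must see the host's interfaces for live capture.
# -v SITE:...:ro: custom scripts, read-only so nothing in the container
#   can alter the policy.
# -v LOGS:/var/log/zeek: without a bind mount, --rm deletes the anonymous
#   log volume together with the container when it exits.
zeek_run_cmd() {
    iface="$1"; site="$2"; logs="$3"
    printf 'docker run --net=host --name=zeek --rm -ti'
    printf ' -v %s:/opt/zeek/share/zeek/site:ro' "$site"
    printf ' -v %s:/var/log/zeek' "$logs"
    printf ' fixel/zeek -i %s\n' "$iface"
}

# Usage: sh zeek-site.sh INTERFACE
# Writes ./zeek-site/local.zeek, creates ./zeek-logs and prints the command.
if [ "$#" -gt 0 ]; then
    write_site "$PWD/zeek-site" >/dev/null
    mkdir -p "$PWD/zeek-logs"
    zeek_run_cmd "$1" "$PWD/zeek-site" "$PWD/zeek-logs"
fi
```

Run it with the capture interface as the only argument and execute the printed command; `notice.log` and `conn.log` then appear under `./zeek-logs` on the host and survive the container being removed.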
A single Zeek process uses only one processor core, but Zeek can be run as a worker cluster to spread the cost of traffic processing across cores or hosts. A docker based Zeek IDS worker cluster is available on github: 0ortmann/zeek-cluster, and on docker hub: fixel/zeek-cluster.